Update integration tests to run Dex over HTTPS.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2020-11-16 14:04:08 -06:00
parent dd2133458e
commit b17ac6ec0b
GPG Key ID: EAE88AD172C5AE2D
4 changed files with 76 additions and 20 deletions


@ -265,6 +265,11 @@ if ! tilt_mode; then
popd >/dev/null popd >/dev/null
fi fi
#
# Download the test CA bundle that was generated in the Dex pod.
#
test_ca_bundle_pem="$(kubectl exec -n dex deployment/dex -- cat /var/certs/ca.pem)"
# #
# Create the environment file # Create the environment file
# #
@ -287,7 +292,8 @@ export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}'
export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345" export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345"
export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344" export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
export PINNIPED_TEST_PROXY=http://127.0.0.1:12346 export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
export PINNIPED_TEST_CLI_OIDC_ISSUER=http://dex.dex.svc.cluster.local/dex export PINNIPED_TEST_CLI_OIDC_ISSUER=https://dex.dex.svc.cluster.local/dex
export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
export PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT=48095 export PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT=48095
export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
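Review bot: The value captured on the `test_ca_bundle_pem=` line is never checked, and the Go side reads PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE as optional, so an empty result (exec failure, pod not yet past its init container) would silently drop the `--ca-bundle` flag and surface later as an unrelated TLS error rather than here. Unless the script already runs under `set -e` (not visible in this hunk), add a guard right after the assignment: `[[ "$test_ca_bundle_pem" == *"BEGIN CERTIFICATE"* ]] || { echo "could not read Dex CA bundle from the dex pod" >&2; exit 1; }`. The exported value is a multi-line PEM block, which is fine while it stays double-quoted; a one-line comment above the export saying so, e.g. `# Multi-line PEM; must remain double-quoted.`, would stop a future edit from breaking it.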


@ -6,13 +6,15 @@
#@ load("@ytt:yaml", "yaml") #@ load("@ytt:yaml", "yaml")
#@ def dexConfig(): #@ def dexConfig():
issuer: http://dex.dex.svc.cluster.local/dex issuer: https://dex.dex.svc.cluster.local/dex
storage: storage:
type: sqlite3 type: sqlite3
config: config:
file: ":memory:" file: ":memory:"
web: web:
http: 0.0.0.0:80 https: 0.0.0.0:443
tlsCert: /var/certs/dex.pem
tlsKey: /var/certs/dex-key.pem
oauth2: oauth2:
skipApprovalScreen: true skipApprovalScreen: true
staticClients: staticClients:
@ -67,24 +69,59 @@ spec:
annotations: annotations:
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig())) dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
spec: spec:
initContainers:
- name: generate-certs
image: cfssl/cfssl:1.5.0
imagePullPolicy: IfNotPresent
command: ["/bin/bash"]
args:
- -c
- |
cd /var/certs
cfssl print-defaults config > /tmp/cfssl-default.json
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json
echo "generating CA key..."
cfssl genkey \
-config /tmp/cfssl-default.json \
-initca csr.json \
| cfssljson -bare ca
echo "generating Dex server certificate..."
cfssl gencert \
-ca ca.pem -ca-key ca-key.pem \
-config /tmp/cfssl-default.json \
-profile www \
-cn "dex.dex.svc.cluster.local" \
-hostname "dex.dex.svc.cluster.local" \
csr.json \
| cfssljson -bare dex
volumeMounts:
- name: certs
mountPath: /var/certs
containers: containers:
- name: dex - name: dex
image: quay.io/dexidp/dex:v2.10.0 image: quay.io/dexidp/dex:v2.10.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- /usr/local/bin/dex - /usr/local/bin/dex
- serve - serve
- /etc/dex/cfg/config.yaml - /etc/dex/cfg/config.yaml
ports: ports:
- name: http - name: https
containerPort: 80 containerPort: 443
volumeMounts: volumeMounts:
- name: config - name: dex-config
mountPath: /etc/dex/cfg mountPath: /etc/dex/cfg
- name: certs
mountPath: /var/certs
readOnly: true
volumes: volumes:
- name: config - name: dex-config
configMap: configMap:
name: dex-config name: dex-config
- name: certs
emptyDir: {}
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -98,4 +135,5 @@ spec:
selector: selector:
app: dex app: dex
ports: ports:
- port: 80 - port: 443
name: https
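Review bot: The generate-certs script under `- |` runs via `/bin/bash -c` without `set -euo pipefail`, so a failing `cfssl genkey` or `cfssl gencert` is masked by the exit status of the trailing `cfssljson` in each pipeline and the init container can succeed with no certificate written; Dex would then fail only when it tries to load /var/certs/dex.pem. Add `set -euo pipefail` as the first line of the script, before `cd /var/certs`. Because the certs live in an `emptyDir` and are regenerated by the init container, the CA that the prepare script fetches is tied to that one pod instance (and, if the deployment ever ran more than one replica, each pod would have its own CA); a comment on the `certs` volume, e.g. `# Regenerated on every pod start; re-run the prepare script after restarting Dex.`, would save debugging time later.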


@ -130,8 +130,8 @@ func getLoginProvider(t *testing.T) *loginProviderPatterns {
}, },
{ {
Name: "Dex", Name: "Dex",
IssuerPattern: regexp.MustCompile(`\Ahttp://dex\.dex\.svc\.cluster\.local/dex.*\z`), IssuerPattern: regexp.MustCompile(`\Ahttps://dex\.dex\.svc\.cluster\.local/dex.*\z`),
LoginPagePattern: regexp.MustCompile(`\Ahttp://dex\.dex\.svc\.cluster\.local/dex/auth/local.+\z`), LoginPagePattern: regexp.MustCompile(`\Ahttps://dex\.dex\.svc\.cluster\.local/dex/auth/local.+\z`),
UsernameSelector: "input#login", UsernameSelector: "input#login",
PasswordSelector: "input#password", PasswordSelector: "input#password",
LoginButtonSelector: "button#submit-login", LoginButtonSelector: "button#submit-login",
@ -170,6 +170,7 @@ func TestCLILoginOIDC(t *testing.T) {
agouti.Desired(caps), agouti.Desired(caps),
agouti.ChromeOptions("args", []string{ agouti.ChromeOptions("args", []string{
"--no-sandbox", "--no-sandbox",
"--ignore-certificate-errors",
"--headless", // Comment out this line to see the tests happen in a visible browser window. "--headless", // Comment out this line to see the tests happen in a visible browser window.
}), }),
// Uncomment this to see stdout/stderr from chromedriver. // Uncomment this to see stdout/stderr from chromedriver.
@ -413,6 +414,15 @@ func oidcLoginCommand(ctx context.Context, t *testing.T, pinnipedExe string, ses
"--session-cache", sessionCachePath, "--session-cache", sessionCachePath,
"--skip-browser", "--skip-browser",
) )
// If there is a custom CA bundle, pass it via --ca-bundle and a temporary file.
if env.OIDCUpstream.CABundle != "" {
path := filepath.Join(t.TempDir(), "test-ca.pem")
require.NoError(t, ioutil.WriteFile(path, []byte(env.OIDCUpstream.CABundle), 0600))
cmd.Args = append(cmd.Args, "--ca-bundle", path)
}
// If there is a custom proxy, set it using standard environment variables.
if env.Proxy != "" { if env.Proxy != "" {
cmd.Env = append(os.Environ(), cmd.Env = append(os.Environ(),
"http_proxy="+env.Proxy, "http_proxy="+env.Proxy,


@ -48,6 +48,7 @@ type TestEnv struct {
OIDCUpstream struct { OIDCUpstream struct {
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
CABundle string `json:"caBundle" `
ClientID string `json:"clientID"` ClientID string `json:"clientID"`
LocalhostPort int `json:"localhostPort"` LocalhostPort int `json:"localhostPort"`
Username string `json:"username"` Username string `json:"username"`
@ -130,6 +131,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
result.Proxy = os.Getenv("PINNIPED_TEST_PROXY") result.Proxy = os.Getenv("PINNIPED_TEST_PROXY")
result.OIDCUpstream.Issuer = needEnv(t, "PINNIPED_TEST_CLI_OIDC_ISSUER") result.OIDCUpstream.Issuer = needEnv(t, "PINNIPED_TEST_CLI_OIDC_ISSUER")
result.OIDCUpstream.CABundle = os.Getenv("PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE")
result.OIDCUpstream.ClientID = needEnv(t, "PINNIPED_TEST_CLI_OIDC_CLIENT_ID") result.OIDCUpstream.ClientID = needEnv(t, "PINNIPED_TEST_CLI_OIDC_CLIENT_ID")
result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv(t, "PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT")) result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv(t, "PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT"))
result.OIDCUpstream.Username = needEnv(t, "PINNIPED_TEST_CLI_OIDC_USERNAME") result.OIDCUpstream.Username = needEnv(t, "PINNIPED_TEST_CLI_OIDC_USERNAME")
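Review bot: The new struct tag on the CABundle field has a stray space before the closing backtick (`json:"caBundle" `); reflect tolerates it and go vet does not flag it, but it is inconsistent with the neighbouring fields and easy to misread as a truncated option, so change it to `json:"caBundle"` with no trailing space. Reading the value with os.Getenv rather than needEnv makes the bundle optional, which matches the `if env.OIDCUpstream.CABundle != ""` guard in oidcLoginCommand; a short comment on the field would make that contract explicit, e.g. `// Optional PEM bundle for the issuer; when empty, --ca-bundle is not passed to the CLI.` The TestEnv struct and loadEnvVars both start outside their hunks.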